> Namely, it seems a little too easy to shoot oneself in the foot by doing
> something as simple as putting a title tag with user content above it.
How? The mental model I have of CSP is that it mostly constrains
behavior and does not give new capabilities. So, injecting a new CSP
policy should mostly not be an issue. Am I missing some attack?

At a glance, the only directives that don't constrain further are
the report-uri, reflected-xss, and referrer directives. If so, for meta
element CSP policies, maybe we can (a) limit report-uris to
same-origin (or disallow), (b) disallow 'allow' for reflected-xss, and
(c) disallow 'unsafe-url' for referrer.
~Dev
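
The three restrictions proposed in the message above, written as a filter over a policy string taken from a meta element. This is an added example, not part of the original message or of any browser's implementation; `restrictMetaPolicy`, its return shape and the sample policy are assumptions made for illustration.

```javascript
// Added illustration; function names and the sample policy are hypothetical.
function parsePolicy(policy) {
  // Directives are ';'-separated; each is a name followed by space-separated values.
  return policy
    .split(';')
    .map((d) => d.trim().split(/\s+/))
    .filter((tokens) => tokens[0] !== '')
    .map(([name, ...values]) => ({ name: name.toLowerCase(), values }));
}

// Compare keywords case-insensitively, with or without surrounding single quotes.
const keyword = (v) => v.replace(/^'|'$/g, '').toLowerCase();

function restrictMetaPolicy(policy, documentUrl) {
  const docOrigin = new URL(documentUrl).origin;
  const sameOrigin = (v) => {
    try {
      // An opaque origin serialises as "null" and never counts as same-origin.
      return docOrigin !== 'null' && new URL(v, documentUrl).origin === docOrigin;
    } catch {
      return false; // unparseable report endpoint
    }
  };
  // A Map avoids matching inherited object properties such as "constructor".
  const rules = new Map([
    ['report-uri', sameOrigin],                          // (a) same-origin reports only
    ['reflected-xss', (v) => keyword(v) !== 'allow'],    // (b) no 'allow'
    ['referrer', (v) => keyword(v) !== 'unsafe-url'],    // (c) no 'unsafe-url'
  ]);
  const kept = [];
  const dropped = [];
  for (const { name, values } of parsePolicy(policy)) {
    const rule = rules.get(name);
    if (!rule) {
      kept.push([name, ...values].join(' ')); // constraining directives pass through
      continue;
    }
    const ok = values.filter(rule);
    values.filter((v) => !rule(v)).forEach((v) => dropped.push(`${name} ${v}`));
    if (ok.length > 0) kept.push([name, ...ok].join(' '));
  }
  return { policy: kept.join('; '), dropped };
}

// Constructed sample: a meta-delivered policy as an injected tag might supply it.
const sample = "script-src 'self'; report-uri /csp https://collector.invalid/r; " +
  'reflected-xss allow; referrer unsafe-url';
console.log(restrictMetaPolicy(sample, 'https://app.example/page'));
```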